In January 2006, Michael Witt was appointed deputy director of the U.S. Computer Emergency Readiness Team within the Department of Homeland Security’s National Cyber Security Division. He leads US-CERT in protecting the nation’s Internet infrastructure by coordinating the response to cyberattacks. Network World national correspondent Carolyn Duffy Marsan interviewed Witt about the Estonian cyberattack and its implications for U.S. network managers. Here are excerpts from their conversation:
Now that it’s behind us, what is the conventional wisdom about what happened in the Estonian attack?
The attacks had to do with the [movement of the Russian war memorial] statue. It was a hactivism attack. The Estonian government termed it a cyber-riot. It was more politically motivated than anything else.
We became involved when the Estonian government, which is a new member of NATO, asked for cyber-response assistance. The Defense Department, which represents the U.S. in NATO, contacted the US-CERT to provide assistance. We reached out to the Estonian national level CERT and started working with them to mitigate the denial-of-service attacks that were impacting their government networks and critical infrastructure.
The first thing we did over here was look for any attack originating out of the U.S. government, of which there were none, or the U.S. as a whole. The attacks consisted of botnets that were being controlled. It’s not that we had U.S. citizens involved, but we had their home computers assisting [the attacks.]
We identified approximately 2,000 computers, primarily home computers, and we worked with the National Communications System, which is a sister directorate to the National Cybersecurity Division that works with the ISPs that control the backbone of the Internet. Working with the ISPs, we asked them to help mitigate the attacks out of the U.S. toward the Estonian government as well as the U.S. ISPs that have global presence [to help stop attacks] that were going to the Estonian networks.
We also reached out to the North American Network Operators’ Group, NANOG. This group is made up of the operators that help control the backbone of the Internet. This group was set up to combat the original denial-of-service attack in the 1999/2000 timeframe. So there’s a longstanding partnership among the ISPs to deal with denial-of-service attacks. This was not anything new to them. They worked diligently to track traffic headed toward [Estonia]. We also worked with the Estonian national CERT and with the NANOG community, in mitigating the attacks.
We also worked to identify attacks coming out of other NATO-allied countries and worked with those national CERTS in the form of incident response teams. There is a virtual group of national incident response teams, the CERTS, as well as the private sector that work together to try to ensure that cyberspace stays friendly and healthy.
This was an international presence that was working jointly together to mitigate the attacks going against the Estonian government and its critical infrastructure. We worked jointly as an international community, and it worked to mitigate a lot of the attacks going against them.
As far as the attack itself, it was a standard denial-of-service attack. Right?
What was different about it was the intensity of the attack and that they had a list of political targets that they were providing through open forums.
Would you classify the Estonian attack as cyberwarfare?
I would call it more of a political statement.
What was different about the Estonian attack than what U.S. CERT has seen in the past?
It was more of a political statement surrounding the movement of the statue as opposed to attacks for financial gain. We’ve seen hactivism before. These attacks come and go, but they are far and few in between.
What are the lessons learned from the Estonian attack and response?
It raised the awareness of the importance of cybersecurity, not just to Estonia, but to all nations and their critical infrastructures and also to their economies and homeland security. The Estonian attacks included financial targets. We helped the Estonian government and their national CERT, working with their ISPs locally, combat the attacks. The ISPs that support Estonia’s financial services and government provided more bandwidth than the size of the DoS attack, which helped ease up the attack.
How real is the threat of cyberwar for U.S. network operators?
I think the U.S. would respond a little bit differently to this attack if it was against our infrastructure. The U.S. critical infrastructure is a lot more robust. We have worked diligently with our critical infrastructure owners and operators, whether in the telecom industry or the IT industry or the chemical or energy sectors. We’ve been working at this for many years to make sure we have a more robust type of backbone to deal with this kind of attack.
Is that to say we are 100 per cent protected against this type of attack? Absolutely not. It all comes back to best practices and having plans in place to deal with attacks.
I’m not prepared to call this cyberwarfare.
How real is the threat of politically motivated attacks?
It’s out there, but the attacks are very few and far between.
Are politically motivated attacks on the rise?
With the amount of attention that the Estonian attacks are getting, they could potentially [be on the rise.] Some other political entities may want to try to mirror these attacks to see if they can get the same notoriety that the Estonian attack achieved.
Are there specific industries that should worry about politically motivated attacks?
The nation should be consciously aware of what happened in Estonia. We need to make sure our networks are secure and make sure that they are where we need them to be and that we have instant response. When the attack occurs is not the time to find out who you need to be calling and making friends with. You have to have plans in place, and you need to have exercised those plans.
Does the U.S. CERT have plans for future cybersecurity exercises?
The U.S. CERT will be working with the Defense Department later this fall in an exercise called Zenith. In March 2008, the Department of Homeland Security and U.S. CERT will take part in Cyberstorm II, which is a national-level exercise that includes our international counterparts and includes many representatives of the critical infrastructure across the U.S., several state governments and international governments. We will have lots of critical infrastructure involved, but I’m not prepared to say which ones at this point.
What more should the U.S. be doing to get ready for politically motivated attacks?
Network operators need to take another look at their systems as political targets. There may be individuals out there or groups that don’t agree with a company’s motives or what they’re doing. They need to have around the clock, seven days a week, operational teams monitoring their networks. They need to have network cognizance. They need to know what their infrastructure is and be able to monitor it. There are a lot of large corporations out there that may not know exactly what their networks [are]. They need to train and educate their workforce about cybersecurity.
What should U.S. CIOs be doing to defend against cyberwar or other politically motivated attacks?
It gets back to making sure they have policies in place, plans in place and that they are empowering their information security officers to be able to defend their networks. They need to ensure that their workforce is educated to know that something is not right and that they know who to call.
What do you see as the top three threats for U.S. network operators and what should be done about them?
I wouldn’t say that political attacks would be among the top threats from our standpoint.
We’re seeing a lot of socially engineered attacks, such as phishing. When things come into your e-mail in-box, you shouldn’t assume that the links are truly from your bank. Identity theft is definitely on the rise.
The Internet has come a long way from where it was 10 years ago. It used to be that attacks were designed to take down networks. Now the bad guys have found a way to make a profit. They don’t want the Internet to be taken down.
Network operators are going to be seeing activity against their firewalls and their networks, and they need to make sure they are cognizant that is happening. If an attack occurs, can you identify what is critical on your network and what the impact will be if it is taken away as a resource?
It all comes down to training and educating your people. You need to ensure your technical people have standard operating procedures, plans and policies in place to deal with attacks and insider threats. It really comes down to making sure you have policies in place that are enforceable and that you have plans in place to deal with something as it arises.
What do you think will happen next in the area of cyberwar or hactivism?
I don’t know. It will happen again, but I don’t necessarily know if it’s going to be [an attack as occurred in Estonia.] We’re sort of in uncharted territory. You don’t know what is going to upset an individual or a group to see if later they will launch a cyberattack.
Will politically motivated attacks be more frequent?
There is the potential for it to be more frequent based on the attention brought to what happened in Estonia.